Hacker101 CTF {Micro-CMS-v1}

CHALLENGE DESCRIPTION

Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne. This CTF is another integral component in our plans to make the world a better place, one bug at a time

---

Challenge Information

• Category: Web

• Difficulty: Very Easy

• Objective: Exploit web vulnerabilities to retrieve the flag.

• Tag : IDOR , XSS, SQLi

---

Identifying Functionality

Upon accessing the Micro-CMS-v1 website, the following functionalities were observed:

• Testing Page (/page/1) – Sample page already created.

• Markdown Page (/page/2) – A sample markdown page has already been created.

• Edit(/page/edit/{id}) – To edit page.

• Create Page (/page/create) – Create new page with Title and Content.

Landing page once visiting the URL

Testing Page /page/1

Edit page for /page/edit/2

Create Page /page/create

---

SOLUTION

IDOR

Vulnerability Analysis

• The edit page was vulnerable to IDOR due to improper access control.

• The application used sequential numerical IDs, allowing an attacker to manipulate them.

• By modifying the id parameter, an attacker could edit another user's page, leading to unauthorized content changes and potential data leaks.

Exploitation Steps

1. Navigate to the /page/{id} and /page/edit/{id}.

/page/1

1. Change the ID to another number. Examples 1 and 2.

/page/edit/2

1. The attacker can view and edit another user’s content if unauthorized access is granted.

/page/edit/6

1. This confirms the IDOR vulnerability, allowing unauthorized modifications.

---

SQL Injection

Vulnerability Analysis

• The edit page was vulnerable to SQL Injection due to unsanitized user input being directly inserted into SQL queries.

• This allowed attackers to manipulate database queries, retrieve sensitive information, and modify stored records.

Exploitation Steps

1. Navigate to the edit endpoint /page/edit/{id}.

2. Inject a basic SQL Testing Payload into /page/edit/{id}'

/page/edit/1'

1. If successful, unauthorized data is retrieved

---

Stored XSS

Vulnerability Analysis

• The page creation and editing functionalities (/page/create, /page/edit/{id}) were vulnerable to Stored Cross-Site Scripting (XSS).

• Malicious JavaScript could be injected into the Title field.

• Whenever another user viewed the affected page, the script would execute, leading to session hijacking and credential theft.

Exploitation Steps

1. Navigate to the page creation/page/create.

/page/create

1. Submit a Testing Payload in the Title and Content Field.

Sample XSS script being used.

1. When another user views the page, it will trigger the script.

Proof of XSS being trigger

---

Reflected XSS

Vulnerability Analysis

• The page creation and editing functionalities (/page/create, /page/edit/{id}) were vulnerable to Reflected Cross-Site Scripting (XSS).

• Malicious JavaScript could be injected into the Content field.

• When a victim clicks the button, the script is executed.

Exploitation Steps

1. Navigate to the page creation/page/create.

2. Inject a malicious payload into the button element.

/page/create

1. If the application does not sanitize input, clicking the button triggers the JavaScript execution

XSS being trigger

1. When the victim clicks the button, the flag is reflected in the Dev-Tools, confirming the Reflected XSS vulnerability

Reflected Flag in Source Code

---